How to disable 'X-Frame-Options' response header in Spring Security?

Bravo picture Bravo · Feb 21, 2015 · Viewed 133.3k times · Source

I have CKeditor on my jsp and whenever I upload something, the following error pops out:

 Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKEditor=text&CKEditorFuncNum=1&langCode=ru' in a frame because it set 'X-Frame-Options' to 'DENY'.

I have tried removing Spring Security and everything works like a charm. How can I disable this in spring security xml file? What should I write between <http> tags

Answer

vtor picture vtor · Feb 21, 2015

By default X-Frame-Options is set to denied, to prevent clickjacking attacks. To override this, you can add the following into your spring security config

<http>    
    <headers>
        <frame-options policy="SAMEORIGIN"/>
    </headers>
</http>

Here are available options for policy

  • DENY - is a default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
  • SAMEORIGIN - I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself
  • ALLOW-FROM - Allows you to specify an origin, where the page can be displayed in a frame.

For more information take a look here.

And here to check how you can configure the headers using either XML or Java configs.

Note, that you might need also to specify appropriate strategy, based on needs.